CN106327184B - Mobile intelligent terminal payment system and method based on secure hardware isolation

Publication number: CN106327184B
Authority: CN (China)
Application number: CN201610702269.3A
Other languages: Chinese (zh)
Other versions: CN106327184A (en)
Inventors: 胡铭铭, 王瑜, 王雅哲, 梁超, 汪祖辉
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Legal status: Expired - Fee Related

Abstract

The present invention relates to a mobile intelligent terminal payment system and method based on secure hardware isolation, comprising a payment server, a mobile intelligent terminal and secure hardware. The secure hardware has its own system, that is, an independent operating environment separate from the mobile intelligent terminal; it protects the security of the user's authentication data and provides random number generation, certificate request and information signing services to external callers. It also has a secure storage function that protects the preset user authentication information. During payment, the secure hardware requires the user to enter a payment password for verification; after verification succeeds, it signs and encrypts the payment data using the private key of the user payment public key certificate and returns the result to the mobile intelligent terminal. The invention stores the user's payment certificate private key and password in the secure hardware, which effectively prevents this sensitive data from being obtained by an attacker, and the payment information is confirmed by the user on the secure hardware, which effectively prevents the payment information from being maliciously tampered with. Together these greatly improve the security of the payment system.

Description

Mobile intelligent terminal payment system and method based on secure hardware isolation
Technical field
The invention belongs to the field of identity authentication in information security, and in particular relates to a mobile intelligent terminal payment system and method based on secure hardware isolation.
Background art
During payment on a mobile intelligent terminal, the user's authentication credentials (such as the payment password, certificates, etc.) are a resource that needs protection. Because of the openness and flexibility of the operating systems of existing mobile intelligent terminals, many attackers can exploit vulnerabilities in the terminal's system or applications to steal authentication credentials that the user enters or stores. Existing protection techniques mainly carry the protection approach used on PCs over to mobile intelligent terminals, for example security software and access control. However, mobile intelligent terminals face many attacks that differ from those on PCs (for example interface overlay, where the attacker forges an identical input box that covers the original one and steals the user's input), and mobile intelligent terminals are easily rooted, so these protection schemes cannot protect the user's authentication credentials well.
Secure hardware is hardware that is separate from the mobile intelligent terminal and used solely for payment. It has its own execution space and is isolated from the mobile intelligent terminal's system. It has input/output capability and a certain amount of computing capability. Because its system is single-purpose and its functions are simple, it is difficult for an attacker to attack it through means such as system vulnerabilities, so it can better protect the user's input and the display and storage of data, providing stronger security protection than the mobile intelligent terminal.
The secure payment method in the published patent (a mobile payment unit payment system and secure payment method, 201410341832) does not consider the user's participation in the payment process: how to display the payment information securely to the user and have the user confirm it, and how to let the user securely and explicitly authorize the payment, so as to prevent the user from authorizing incorrect payment information. The secure payment system and method in the published patent (an intelligent terminal secure payment system and method, 201310729282) does not consider that the two systems are not truly physically isolated: once the secure operating system has a vulnerability, an attacker may gain access to the secure operating system and steal the user's payment data.
Summary of the invention
To overcome the deficiencies of the prior art, the present invention combines a PKI digital authentication protection system, the isolated environment provided by secure hardware, and a mobile intelligent terminal payment scheme based on two-way trust, and proposes a mobile intelligent terminal payment system and method based on secure hardware isolation.
The present invention implements a mobile intelligent terminal payment system and method based on secure hardware isolation. The system and method are applicable to mobile intelligent terminals and include the following:
When the mobile intelligent terminal performs a payment operation, the payment application installed on it can connect to the server to carry out the general payment flow (such as generating an order), and can establish a point-to-point wireless connection with the secure hardware and transmit data over it in encrypted form, to carry out user password verification and the transfer of payment authentication information.
Before the secure hardware is put into use, a trust presetting operation imports the payment server's public key certificate, the CA certificate and the user payment public key certificate, forming the basis of a two-way trust system between the server and the secure hardware. The user is also required to set a payment password, which the user uses to authorize payment operations with the user payment public key certificate in the secure hardware.
When the mobile intelligent terminal needs to perform a payment operation, the payment application interacts with the server to generate the payment data, sends the payment data in encrypted form over the point-to-point wireless connection to the secure hardware for signing, and returns the result to the server for verification. Specifically:
1) When the mobile intelligent terminal needs to perform a payment operation, the payment application interacts with the server to generate the payment data (including user ID, merchant ID, commodity ID, quantity, unit price, total price, order ID, payment information ID, random challenge value, etc.).
2) The payment application on the mobile intelligent terminal establishes a point-to-point connection with the secure hardware and performs key agreement to establish an encrypted channel.
3) The payment application on the mobile intelligent terminal encrypts the random challenge, order ID, payment information ID and payment information (user ID, merchant ID, total price, etc.) and sends them to the secure hardware.
4) The secure hardware decrypts the payment information and displays it. After confirming that it is correct, the user enters the payment password, and the secure hardware verifies the password. After verification succeeds, it signs the received data with the private key corresponding to the user payment public key certificate, generates a symmetric encryption key, encrypts the signing information, order ID and payment information ID with that key to obtain data A, and encrypts the encryption key with the server's public key to obtain B; the two are combined into a digital envelope. The digital envelope is returned to the mobile intelligent terminal over the established secure channel.
5) The mobile intelligent terminal forwards the received digital envelope to the server.
6) The server decrypts data B with its private key to obtain the encryption key, then decrypts A with the encryption key to obtain the signing information, order ID and payment information ID. It verifies the signing information with the user's public key and, after verifying information such as the order ID and payment information ID, confirms whether the payment succeeded.
7) The server returns the payment result to the mobile intelligent terminal.
The basic idea of the scheme is described below. The invention builds on the advantages of existing solutions and puts forward its own design, which comprises the following aspects:
Aspect one: the payment system consists of three parts: the payment server, the mobile intelligent terminal and the secure hardware. The payment server interacts with the mobile intelligent terminal to complete every part of the payment flow other than user authentication. The secure hardware interacts with the mobile intelligent terminal to complete user authentication, the most important part of the payment flow. The independent operating environment of the secure hardware protects the security of the user's authentication data; through the trust preset in the secure hardware, and with the mobile intelligent terminal acting as the channel, a payment method with two-way trust is established with the server.
Aspect two: the secure hardware has its own system, independent of the mobile intelligent terminal, and provides services such as random number generation, certificate request and information signing. The secure hardware has a secure storage function that protects the preset user authentication information. During payment, the secure hardware requires the user to enter the payment password for verification; after verification succeeds, it signs and encrypts the payment data with the private key of the user payment public key certificate and returns the result to the mobile intelligent terminal. It mainly comprises the following modules:
Random number generation module: the secure hardware provides a true random number generator that can supply a random number of arbitrary length in a single request; the random number can be used as a symmetric encryption key.
Payment signature module: after the secure hardware receives the order ID, payment information ID and payment information, a signature by the specified account is requested. The secure hardware uses a hardware indicator to alert the user to the transaction (for example a flashing transaction LED), shows the payment information on the secure hardware's display, and waits for the user to enter the payment password as confirmation. The payment password is used to decrypt the private key used to authenticate the payment, which then carries out the signing operation.
Trusted certificate module: the secure hardware stores the preset trusted certificates, including the payment server's public key certificate, the CA certificate and the user payment public key certificate. These trusted certificates are retrieved by an agreed index.
Aspect three: the method provides a mobile intelligent terminal payment system and method based on secure hardware isolation, whose main purpose is to protect sensitive data throughout the whole payment flow. Data exchanged between the payment server and the mobile intelligent terminal is protected by an encrypted channel, and data exchanged between the mobile intelligent terminal and the secure hardware is protected by an encrypted channel. The user's sensitive data, such as the user payment certificate private key, is stored in the secure hardware, where an attacker cannot read it. The data that passes through the mobile intelligent terminal is dynamic, temporary data that becomes invalid once the payment process completes. With the protection of the encrypted channels and the secure hardware, an attacker cannot obtain the user's payment information, which comprehensively improves security during payment.
Compared with the prior art, the present invention has the following advantages:
(1) The user's payment certificate private key and password are stored in the secure hardware, which effectively prevents this sensitive data from being obtained by an attacker and greatly improves the security of the payment system.
(2) The payment information is confirmed by the user on the secure hardware, which effectively prevents the payment information from being maliciously tampered with and further improves the security of the payment system.
Brief description of the drawings
Fig. 1 is the overall framework of the implementation of the present invention;
Fig. 2 is the flow chart of secure boot based on trust presetting in the present invention;
Fig. 3 is the flow chart of the mobile intelligent terminal payment method based on two-way trust in the present invention.
Detailed description of the embodiments
To make the purpose, advantages and technical solution of the present invention clearer, the invention is described in more detail below through a specific implementation and with reference to the drawings.
As shown in Fig. 1, the method is implemented through the following steps:
I. Implementation of the secure hardware based on trust presetting
Secure hardware trust presetting means that, before the secure hardware is used for payment, initialization operations such as certificate import and user password setting must be carried out on it to establish the initial trust system for payment. Preset in the secure hardware are the payment server's public key certificate, the CA certificate and the user payment public key certificate. The payment server's public key certificate is mainly used to encrypt the symmetric encryption key, implementing the digital envelope; the CA certificate is used in the secure boot process to verify the secure hardware; the user payment public key certificate is mainly used to prove the user's identity to the server. The user must set a payment password in the secure hardware. This payment password is used to encrypt the private key corresponding to the user payment public key certificate; in subsequent payments, the user must enter the payment password to obtain that private key.
As shown in Fig. 2, the secure boot process of the secure hardware involves three components: the image burned into the chip (the on-chip image), the root verification package image, and the secure firmware. The on-chip image contains verification code and the code that loads the root verification package image; the root verification package image contains its signed hash check value, its verification code, and the code that loads the secure firmware; the secure firmware contains the signed hash check value of the secure firmware and the security system code. The detailed process is as follows:
(1) The system powers on and loads the on-chip image. The on-chip image reads the root verification package image, calculates its hash using the preset CA certificate, and compares it with the stored hash check value. If they match, the root verification package image is loaded and execution jumps to it; otherwise, boot stops.
(2) The root verification package image reads the secure firmware, calculates the signed hash value of the secure firmware, and compares it against the signed hash check value in the secure firmware. If they match, the secure firmware is loaded and execution jumps to it; otherwise, boot stops.
(3) The secure firmware starts running, and loads and runs the random number generation module, payment signature module and trusted certificate module.
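The boot chain of steps (1) to (3), as an added Go example that is not code from the patent. It assumes the signed hash check value is a CA signature (Ed25519 here) over the SHA-256 hash of each stage's code and that both stages are checked against the same preset CA public key; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Image is one boot stage as stored in flash: its code plus the signed hash
// check value (assumed here: the CA's Ed25519 signature over SHA-256 of Code).
type Image struct {
	Name  string
	Code  []byte
	Check []byte
}

// NewCA creates a throwaway CA key pair; only the public half is preset on-chip.
func NewCA() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the provisioning step that produces a stage's check value.
func SignImage(ca ed25519.PrivateKey, name string, code []byte) Image {
	h := sha256.Sum256(code)
	return Image{Name: name, Code: code, Check: ed25519.Sign(ca, h[:])}
}

// verified recomputes the hash of the code actually read from storage and
// checks it against the stored check value with the preset CA public key.
func verified(caPub ed25519.PublicKey, img Image) bool {
	h := sha256.Sum256(img.Code)
	return ed25519.Verify(caPub, h[:], img.Check)
}

// Boot walks the chain in order. Each stage is verified by the stage before it
// and runs only if the check passes; the first failure stops the boot.
// It returns the names of the stages that were allowed to run.
func Boot(caPub ed25519.PublicKey, chain []Image) ([]string, error) {
	ran := []string{"on-chip image"} // immutable first stage, trusted by construction
	for _, img := range chain {
		if !verified(caPub, img) {
			return ran, fmt.Errorf("boot stopped: %s failed verification by %s",
				img.Name, ran[len(ran)-1])
		}
		ran = append(ran, img.Name)
	}
	return ran, nil
}

func main() {
	caPub, caKey := NewCA()
	// Constructed sample images; the byte strings stand in for real code.
	chain := []Image{
		SignImage(caKey, "root verification package", []byte("constructed loader code")),
		SignImage(caKey, "secure firmware", []byte("constructed firmware code")),
	}
	fmt.Println(Boot(caPub, chain))

	chain[1].Code = []byte("constructed firmware code, modified after signing")
	fmt.Println(Boot(caPub, chain))
}
```

A stage that is modified after signing, or re-signed with a key other than the preset CA key, never runs, and neither does anything after it in the chain.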
After the secure hardware has booted, it mainly offers the random number generation service and the trusted certificate service, and provides the payment signing service to the mobile intelligent terminal, as follows:
Random number generation service: the secure hardware provides a random number generator that can supply a random number of arbitrary length in a single request; the random number can be used as a symmetric encryption key. The payment signing service sends a random number request to the secure hardware carrying the parameter N (N describes the length of the requested random number). On success, the secure hardware returns a random number of length N; otherwise it returns an error code.
Payment signing service: after the secure hardware receives the order ID, payment information ID and payment information, a signature by the specified account is requested. The secure hardware uses a hardware indicator to alert the user to the transaction (for example a flashing transaction LED), shows the payment information on the secure hardware's display, and waits for the user to enter the payment password as confirmation. The payment password is used to decrypt the private key used to authenticate the payment, which then carries out the signing operation. After the payment password is verified, the payment signing service sends a request to the random number generation service to obtain a symmetric encryption key, encrypts the signing information, order ID and payment information ID with that key to obtain data A, and encrypts the encryption key with the server's public key to obtain B; the two are combined into a digital envelope. The mobile intelligent terminal sends a payment signing request to the secure hardware with the following parameters: signature algorithm ID, random number, random number length, payment information length, payment information ID, order ID, payment buyer account length, payment buyer account, payment seller account length, payment seller account, and payment amount. These are the plaintext information to be signed. The secure hardware platform receives the parameters and processes them; on success it returns the generated digital envelope, and on error it returns an error code.
Trusted certificate service: the secure hardware stores the preset trusted certificates, including the payment server's public key certificate, the CA certificate and the user payment public key certificate. These trusted certificates are retrieved by an agreed index. The payment signing service sends a trusted certificate request to the secure hardware, with the certificate index ID as its parameter. The secure hardware platform processes the request according to the parameter; on success it returns the certificate format, trusted certificate length and trusted certificate content, and on error it returns an error code.
II. Mobile intelligent terminal payment method based on two-way trust
As shown in Fig. 3, the mobile intelligent terminal payment scheme relies mainly on the two-way trust relationship built from the server certificate and the user payment certificate to guarantee the security and correctness of the payment process. Before a payment operation is carried out, the trust presetting initialization must have been performed on the secure hardware. The complete payment flow comprises the following steps:
(1) The user completes the purchase of goods in the payment application on the mobile intelligent terminal and submits data such as user ID, merchant ID, commodity ID, quantity, unit price and total price to the server, requesting that an order be generated.
(2) The server generates a new order from the data sent by the payment application (user ID, merchant ID, commodity ID, quantity, unit price, total price), inserts the generated order ID and order information into the database, and returns the order ID to the payment application.
(3) The payment application selects the order to be paid, submits an order payment request to the server, and submits the order ID.
(4) The server generates a piece of payment information from the order ID it received and sends the payment information ID to the payment application. At the same time the server generates a random number S and returns it to the payment application together with the payment information ID.
(5) The payment application establishes a point-to-point wireless connection with the secure hardware (for example Wi-Fi Direct or Bluetooth), negotiates a symmetric key using a key agreement protocol, and establishes an encrypted channel.
(6) The payment application encrypts the random number S, order ID, payment information ID and payment information (including buyer ID, seller account and payment amount) with the symmetric key obtained in step (5) and sends them to the secure hardware.
(7) The secure hardware decrypts the data from step (6) with the symmetric encryption key, displays the payment information, and prompts the user to enter the payment password.
(8) The user enters the payment password. The secure hardware uses the payment password to decrypt the private key corresponding to the user payment public key certificate, and carries out the signing operation with that private key.
(9) The secure hardware uses the private key obtained in step (8) to sign the random number S, order ID, payment information ID and payment information, obtaining the signing information, which includes the signature value and the signing public key ID.
(10) After the secure hardware has generated the signing information, it begins to build the digital envelope: the random number generation service generates a random number to serve as the symmetric key, and the trusted certificate service provides the server certificate.
(11) The secure hardware computes the digital envelope: using the random number obtained in step (10) as the symmetric key, it encrypts the signing information, order ID and payment information ID to obtain data A. It then encrypts the symmetric key with the public key in the server certificate to obtain data B. Data A and B form the digital envelope, which is sent to the mobile terminal device.
(12) The mobile intelligent terminal forwards the received digital envelope to the server.
(13) After the server obtains the digital envelope, it first decrypts data B with the private key corresponding to the server certificate to obtain the symmetric key, then decrypts data A with the symmetric key to obtain the signing information, order ID and payment information ID. It verifies the signing information with the certificate public key of the user corresponding to the payment information ID, confirming that the buyer ID, seller account and payment amount are correct, and verifies the legitimacy of the order ID and payment information ID. Successful verification shows that the identities of both the server and the user are correct and that the two-way trust relationship has been established. Establishing this relationship means that the payment is complete and operations such as deducting the funds can be carried out. The server returns the payment result to the payment application.
(16) The payment application displays the payment result to the user.
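The envelope construction of steps (9) to (11) and the server-side check of step (13), as an added Go example that is not code from the patent. The patent names no algorithms: RSA-PSS for the signature, AES-256-GCM for data A, RSA-OAEP for data B, the JSON encoding, and all type and function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Payment holds what step (9) signs: S, order ID, payment info ID, payment info.
type Payment struct {
	S, OrderID, PayInfoID, Buyer, Seller, Amount string
}

// inner is the plaintext of data A: the signing information plus the two IDs.
type inner struct {
	Sig                []byte
	OrderID, PayInfoID string
}

// Envelope is the digital envelope; Nonce exists only because AES-GCM is assumed.
type Envelope struct{ A, Nonce, B []byte }

// NewKey makes a throwaway RSA key pair (constructed demo keys, not provisioned ones).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// digest hashes a fixed-order JSON encoding of the signed fields.
func digest(p Payment) []byte {
	b, _ := json.Marshal(p)
	h := sha256.Sum256(b)
	return h[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the secure-hardware side, steps (9)-(11), after the password unlocks userKey.
func Seal(p Payment, userKey *rsa.PrivateKey, serverPub *rsa.PublicKey) (Envelope, error) {
	sig, err := rsa.SignPSS(rand.Reader, userKey, crypto.SHA256, digest(p), nil)
	if err != nil {
		return Envelope{}, err
	}
	buf := make([]byte, 32+12) // AES-256 key and GCM nonce from the random number service
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	pt, _ := json.Marshal(inner{sig, p.OrderID, p.PayInfoID})
	b, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil) // data B
	return Envelope{A: gcm.Seal(nil, nonce, pt, nil), Nonce: nonce, B: b}, err
}

// Open is the server side, step (13). want is the server's own record of the payment,
// including the S it issued in step (4); the signature must cover exactly that record.
func Open(env Envelope, serverKey *rsa.PrivateKey, userPub *rsa.PublicKey, want Payment) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, env.B, nil)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil || len(env.Nonce) != gcm.NonceSize() {
		return fmt.Errorf("bad symmetric key or nonce")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.A, nil)
	if err != nil {
		return err
	}
	var in inner
	if json.Unmarshal(pt, &in) != nil || in.OrderID != want.OrderID || in.PayInfoID != want.PayInfoID {
		return fmt.Errorf("order ID or payment information ID mismatch")
	}
	return rsa.VerifyPSS(userPub, crypto.SHA256, digest(want), in.Sig, nil)
}

func main() {
	user, server := NewKey(), NewKey()
	p := Payment{"S-constructed", "order-1", "pay-1", "buyer-1", "seller-1", "100.00"}
	env, err := Seal(p, user, &server.PublicKey)
	fmt.Println("seal:", err, "verify:", Open(env, server, &user.PublicKey, p))
}
```

Because the server verifies the signature against its own record of the payment, an envelope signed over a different amount or over an earlier random number S is rejected even though the mobile intelligent terminal relayed it unchanged.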
The above embodiments are provided only to describe the present invention and are not intended to limit its scope. The scope of the invention is defined by the following claims. All equivalent replacements and modifications made without departing from the spirit and principles of the invention shall fall within the scope of the invention.

Claims (2)

1. a kind of mobile intelligent terminal payment system based on secure hardware isolation, comprising: payment server, intelligent movable are whole End, it is characterised in that: increase secure hardware in paid payment system;Payment server is interacted with mobile intelligent terminal, is completed Other links other than user authentication are removed in payment flow;Secure hardware is interacted with mobile intelligent terminal, completes payment flow In mostly important user authentication part;It is preset by the trust in secure hardware, using mobile intelligent terminal as channel, with service Device establishes the payment implementation method of two-way trust;
Secure hardware has individual system, that is, independent operating environment, protects the certification number of user independently of mobile intelligent terminal According to safety, and generating random number is externally provided, certificate request, Information Signature service;There is secure storage function, Neng Goubao simultaneously Protect preset user authentication information;In payment system payment process, secure hardware needs user's input payment cipher to test Card, it is whole to intelligent movable is back to after payment data encrypted signature using user's payment public key certificate private key after being verified End;
The secure hardware includes random number generation module, payment signature blocks and trusted certificates module;Wherein:
Random number generation module: real random number generator is provided, can once provide the random number of random length, which can To be used to the key as symmetric cryptography;
It pays signature blocks: after receiving order ID, payment information ID and payment information, specified account being requested to be signed; Hardware display reminding customer transaction will be utilized, and payment information is shown into the display screen in secure hardware, user is waited to input branch Pay password confirming;Private key of the payment cipher for decryption verification payment carries out signature operation;
Trusted certificates module: equipped with preset trusted certificates, public key certificate, CA certificate, user's payment including payment server Public key certificate obtains these trusted certificates by the index of agreement;
The payment system protects sensitive data in payment whole flow process, and data are in payment server and intelligent movable It is protected when terminal interaction by encryption channel, data are protected in mobile intelligent terminal and secure hardware interaction by encryption channel;With The sensitive data such as user's payment certificate private key at family are stored in secure hardware, and attacker can not read sensitive data, via shifting The data of dynamic intelligent terminal transmitting are dynamic ephemeral data, are failed after the completion of payment process;Pass through encryption channel and peace The protection of devices at full hardware, attacker can not obtain the payment information of user, improve the safety in payment process comprehensively;
The secure boot process of the secure hardware is as follows:
(1) The system powers on and loads the on-chip solidified image; the on-chip solidified image reads the root verification package image, computes the hash value of the root verification package image with the preset CA certificate, and compares it with the stored hash check value; if they match, it loads the root verification package image and jumps to it to run; otherwise, boot stops;
(2) The root verification package image reads the secure firmware, computes the signature hash value of the secure firmware, and compares it with the signature hash check value in the secure firmware; if they match, it loads the secure firmware and jumps to it to run; otherwise, boot stops;
(3) The secure firmware starts running, and loads and runs the random number generation module, the payment signature module and the trusted certificate module;
Here, the on-chip solidified image contains verification code and the code that loads the root verification package image; the root verification package image contains the signature hash check value of the root verification package image, verification code, and the code that loads the secure firmware; the secure firmware contains the signature hash check value of the secure firmware and the security system code;
After the secure hardware has booted, the random number generation service and the trusted certificate service are available, and the payment signature service is provided to the mobile intelligent terminal.
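The three-stage boot chain of steps (1) to (3) above, as an added Python sketch that is not part of the patent: each stage hashes the next image and halts on a mismatch. SHA-256, the `Stage` layout and all names are assumptions, and the sketch keeps each check value in the preceding, already verified stage rather than as a signed value inside the image being checked, so no certificate handling is shown.

```python
# Added illustration: names, SHA-256 and the stage layout are assumptions.
import hashlib
import hmac
from dataclasses import dataclass, replace

# Modules that step (3) says the secure firmware loads and runs.
MODULES = ("random_number_generation", "payment_signature", "trusted_certificates")

def digest(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()  # the claim only says "hash value"

@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes        # constructed stand-in for the stage's code
    next_check: bytes  # stored hash check value for the next stage (b"" if last)

    def image(self) -> bytes:
        # Measure the embedded check value together with the code, so
        # re-pointing a stage at a different successor changes its own hash.
        return self.next_check + self.code

def build_chain() -> list:
    """Provision a constructed three-stage chain, last stage first."""
    firmware = Stage("secure_firmware", b"constructed firmware code", b"")
    root_pkg = Stage("root_verification_package", b"constructed root code",
                     digest(firmware.image()))
    on_chip = Stage("on_chip_image", b"constructed on-chip code",
                    digest(root_pkg.image()))
    return [on_chip, root_pkg, firmware]

def secure_boot(chain: list) -> tuple:
    """Return (booted, log); each stage verifies the next before jumping to it."""
    log = [f"run {chain[0].name}"]  # the on-chip image is the fixed trust anchor
    for current, nxt in zip(chain, chain[1:]):
        if not hmac.compare_digest(digest(nxt.image()), current.next_check):
            log.append(f"halt: {nxt.name} hash mismatch")
            return False, log       # "otherwise, boot stops"
        log.append(f"run {nxt.name}")
    log.extend(f"load {module}" for module in MODULES)
    return True, log

def tampered(chain: list, index: int, **changes) -> list:
    """Copy of the chain with one stage modified, as an unauthorized write would."""
    out = list(chain)
    out[index] = replace(out[index], **changes)
    return out
```

A modified firmware image halts the boot before any payment module is loaded, and rewriting the root package's stored check value to match the modified firmware only moves the halt one stage earlier, because the root package's own hash no longer matches.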
2. A method for mobile intelligent terminal payment using the mobile intelligent terminal payment system based on secure hardware isolation according to claim 1, characterized in that it comprises the following steps:
(1) When the mobile intelligent terminal performs a payment operation, the payment application installed on the mobile intelligent terminal connects to the payment server and carries out every part of the payment other than user authentication; it establishes a point-to-point wireless connection with the secure hardware and transmits data over it encrypted, to carry out user password verification and the transfer of payment authentication information;
(2) Before the secure hardware is put into use, a trust-presetting operation imports the payment server's public key certificate, the CA certificate and the user payment public key certificate, forming the basis of a two-way trust system between the server and the secure hardware, and the user is required to set a payment password; this payment password is used to authorize, inside the secure hardware, payment operations performed with the user payment public key certificate;
(3) When the mobile intelligent terminal needs to perform a payment operation, the payment application interacts with the server to generate the payment data, and the payment data is encrypted and sent over the point-to-point wireless connection to the secure hardware, signed there, and then returned to the server to complete verification;
Step (3) comprises:
(31) When the mobile intelligent terminal needs to perform a payment operation, the payment application interacts with the server to generate the payment data; the payment data includes the user ID, merchant ID, commodity ID, quantity, unit price, total price, order ID, payment information ID and random challenge value;
(32) The payment application on the mobile intelligent terminal establishes a point-to-point connection with the secure hardware and performs key agreement to establish an encrypted channel;
(33) The payment application on the mobile intelligent terminal encrypts the random challenge value, order ID, payment information ID and payment information and sends them to the secure hardware;
(34) The secure hardware decrypts the payment information and displays it; after confirming that it is correct, the user enters the payment password, which is verified; once verification passes, the received data is signed with the private key corresponding to the user payment public key certificate, and a symmetric encryption key is then generated; the signature information, order ID and payment information ID are encrypted with this encryption key to obtain data A, the encryption key is encrypted with the server public key to obtain B, and the two are combined into a digital envelope; the digital envelope is returned to the mobile intelligent terminal over the already established secure channel;
(35) The mobile intelligent terminal forwards the received digital envelope to the server;
(36) The server decrypts data B with its private key to obtain the encryption key, then decrypts A with the encryption key to obtain the signature information, order ID and payment information ID; it verifies the signature information with the user public key and, after verifying the order ID and payment information ID, confirms whether the payment succeeded;
(37) The payment server returns the payment result to the mobile intelligent terminal.
CN201610702269.3A 2016-08-22 2016-08-22 A kind of mobile intelligent terminal payment system and method based on secure hardware isolation Expired - Fee Related CN106327184B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610702269.3A CN106327184B (en) 2016-08-22 2016-08-22 A kind of mobile intelligent terminal payment system and method based on secure hardware isolation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610702269.3A CN106327184B (en) 2016-08-22 2016-08-22 A kind of mobile intelligent terminal payment system and method based on secure hardware isolation

Publications (2)

Publication Number Publication Date
CN106327184A CN106327184A (en) 2017-01-11
CN106327184B true CN106327184B (en) 2019-09-13

Family

ID=57742804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610702269.3A Expired - Fee Related CN106327184B (en) 2016-08-22 2016-08-22 A kind of mobile intelligent terminal payment system and method based on secure hardware isolation

Country Status (1)

Country Link
CN (1) CN106327184B (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106339939B (en) * 2016-08-26 2020-05-15 南京喜玛拉云信息技术有限公司 Non-tamper-able distributed bill system based on secure hardware and transaction processing method
CN108629186A (en) * 2017-03-23 2018-10-09 惠尔丰(中国)信息***有限公司 A kind of embedded-type security applied to Android system pays POS machine and method
CN107392589B (en) * 2017-07-01 2023-08-01 武汉天喻信息产业股份有限公司 Android system intelligent POS system, security verification method and storage medium
WO2019022674A1 (en) * 2017-07-27 2019-01-31 Nanyang Technological University Method of performing authentication for a transaction and a system thereof
CN107274185A (en) * 2017-08-15 2017-10-20 鼎讯网络安全技术有限公司 Safe and intelligent POS and method for secure transactions
CN107332671A (en) * 2017-08-15 2017-11-07 鼎讯网络安全技术有限公司 A kind of safety mobile terminal system and method for secure transactions based on safety chip
CN109495269B (en) * 2017-09-13 2023-11-03 厦门雅迅网络股份有限公司 Method and system for verifying credibility of vehicle-mounted terminal access equipment and vehicle-mounted terminal
CN109932953A (en) * 2017-12-19 2019-06-25 陈新 Intelligent supercomputer programmable controller
CN108377190B (en) * 2018-02-14 2020-11-24 飞天诚信科技股份有限公司 Authentication equipment and working method thereof
CN108599938A (en) * 2018-04-23 2018-09-28 北京数字认证股份有限公司 The method and system of mobile terminal private data are protected by credible performing environment
EP3785238A1 (en) * 2018-04-24 2021-03-03 Spectrum Brands, Inc. Certificate provisioning for electronic lock authentication to a server
CN108334927B (en) * 2018-04-25 2024-03-26 江苏恒宝智能***技术有限公司 NFC (near field communication) receipt tag and payment method thereof
CN108615154B (en) * 2018-05-01 2023-04-18 浙江浩安信息技术有限公司 Block chain digital signature system based on hardware encryption protection and using process
CN108846662A (en) * 2018-05-29 2018-11-20 数字乾元科技有限公司 wireless payment method and wearable device
US11620623B2 (en) * 2018-05-31 2023-04-04 Nxp B.V. Merchant transaction mirroring for personal point of sale (pPOS) for card present e-commerce and in vehicle transaction
CN109379335B (en) * 2018-09-14 2021-04-09 广州杰赛科技股份有限公司 Equipment checking method, system and storage medium
CN111917680A (en) * 2019-05-07 2020-11-10 ***通信集团湖南有限公司 Encryption system, method, server and storage medium
CN111915290A (en) * 2019-05-07 2020-11-10 北京创原天地科技有限公司 Mobile payment password keyboard based on key splitting protection under iOS system and implementation method thereof
CN112311752A (en) * 2020-05-09 2021-02-02 杭州绿鲸科技有限公司 Internet of things smart meter safety system and implementation method
CN111786733B (en) * 2020-05-14 2021-08-31 上海易托邦建筑科技有限公司 Optical interaction system and optical interaction control method
CN111832884A (en) * 2020-05-27 2020-10-27 福建亿能达信息技术股份有限公司 Clinician operation workload evaluation system
CN112101930B (en) * 2020-08-27 2022-10-25 东南大学 NFC payment system based on elliptic curve password
CN112702740B (en) * 2020-12-24 2023-04-07 国网浙江省电力有限公司经济技术研究院 Data safety transmission method of LoRa Internet of things system
CN112333208B (en) * 2021-01-04 2021-03-30 北京笔新互联网科技有限公司 Block chain credibility verification method and device and block chain all-in-one machine
CN113393242B (en) * 2021-04-27 2022-11-01 连通(杭州)技术服务有限公司 Method and equipment for safe off-line electronic payment of token model payers
CN113592484B (en) * 2021-07-16 2024-07-12 支付宝(杭州)信息技术有限公司 Account opening method, system and device
CN113891147A (en) * 2021-09-23 2022-01-04 亦非云科技(上海)有限公司 Video service system design method based on smart television application and external hardware

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103729587A (en) * 2013-12-23 2014-04-16 杭州晟元芯片技术有限公司 Chip integrating with fingerprint interface, fingerprint algorithm, security algorithms and correlated accelerators
CN104123646A (en) * 2014-07-21 2014-10-29 深圳前海君浩银通科技发展有限公司 Composite type mobile uKey and electronic wallet payment system
CN104281945A (en) * 2014-09-16 2015-01-14 马洁韵 Mobile safety payment system and safety payment method
CN105049945A (en) * 2015-08-13 2015-11-11 中国科学院信息工程研究所 Safety payment system and method based on smart TV multi-screen interaction
CN105205370A (en) * 2015-08-24 2015-12-30 北京恒信安科技有限公司 Safety protection method for mobile terminal, mobile terminal, safety system and application method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9571279B2 (en) * 2014-06-05 2017-02-14 Cavium, Inc. Systems and methods for secured backup of hardware security modules for cloud-based web services

Also Published As

Publication number Publication date
CN106327184A (en) 2017-01-11

Similar Documents

Publication Publication Date Title
CN106327184B (en) A kind of mobile intelligent terminal payment system and method based on secure hardware isolation
ES2887258T3 (en) Procedure for performing two-factor authentication
CN109150548B (en) Digital certificate signing and signature checking method and system and digital certificate system
CN109067539B (en) Alliance chain transaction method, alliance chain transaction equipment and computer readable storage medium
US9325708B2 (en) Secure access to data in a device
US8843415B2 (en) Secure software service systems and methods
CN102413132B (en) Two-way-security-authentication-based data downloading method and system
US9112679B2 (en) Storing a key in a remote security module
CN103684766B (en) A kind of private key protection method of terminal use and system
CN103326862B (en) Electronically signing method and system
CN103269271B (en) A kind of back up the method and system of private key in electronic signature token
CN112116344A (en) Secure remote payment transaction processing
RU2011153984A (en) TRUSTED AUTHORITY ADMINISTRATOR (TIM)
CN109495445A (en) Identity identifying method, device, terminal, server and medium based on Internet of Things
CN108141444B (en) Improved authentication method and authentication device
TW200917785A (en) Virtual subscriber identity module
CN103020825A (en) Safety payment authentication method based on software client
CN107040513A (en) A kind of credible access registrar processing method, user terminal and service end
CN103312691A (en) Method and system for authenticating and accessing cloud platform
CN101262342A (en) Distributed authorization and validation method, device and system
CN104182876B (en) Secure payment transactions method and system
CN112055019B (en) Method for establishing communication channel and user terminal
KR20140134663A (en) Method for verifying the identity of a user of a communicating terminal and associated system
CN104660412A (en) Password-less security authentication method and system for mobile equipment
CN101227276B (en) Method and system for public key safety transfer of digital mobile certificate

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20170911

Address after: 100093 Beijing city Haidian District minzhuang Road No. 89

Applicant after: Institute of Information Engineering, CAS

Address before: 100093 Beijing city Haidian District minzhuang Road No. 89

Applicant before: Institute of Information Engineering, CAS

Applicant before: Lenovo mobile communication software (Wuhan) Co., Ltd.

GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190913

Termination date: 20200822